2014-10-05 14:13:01 -05:00
|
|
|
package middleware
|
|
|
|
|
|
|
|
import (
|
2015-01-27 05:05:23 -06:00
|
|
|
"net/url"
|
2015-01-14 02:33:34 -06:00
|
|
|
"strings"
|
2014-11-20 08:19:44 -06:00
|
|
|
|
2016-01-13 08:11:23 -06:00
|
|
|
"gopkg.in/macaron.v1"
|
2015-01-14 07:25:12 -06:00
|
|
|
|
2015-02-05 03:37:13 -06:00
|
|
|
m "github.com/grafana/grafana/pkg/models"
|
|
|
|
"github.com/grafana/grafana/pkg/setting"
|
2014-10-05 14:13:01 -05:00
|
|
|
)
|
|
|
|
|
2015-01-15 05:16:54 -06:00
|
|
|
type AuthOptions struct {
|
2015-01-16 07:32:18 -06:00
|
|
|
ReqGrafanaAdmin bool
|
|
|
|
ReqSignedIn bool
|
2015-01-15 05:16:54 -06:00
|
|
|
}
|
|
|
|
|
2015-01-19 11:01:04 -06:00
|
|
|
func getRequestUserId(c *Context) int64 {
|
2015-01-29 05:10:34 -06:00
|
|
|
userId := c.Session.Get(SESS_KEY_USERID)
|
2014-10-05 14:13:01 -05:00
|
|
|
|
2015-01-19 11:01:04 -06:00
|
|
|
if userId != nil {
|
|
|
|
return userId.(int64)
|
2015-01-15 05:16:54 -06:00
|
|
|
}
|
2015-01-07 09:37:24 -06:00
|
|
|
|
2015-01-16 09:15:35 -06:00
|
|
|
return 0
|
|
|
|
}
|
|
|
|
|
2015-01-27 01:26:11 -06:00
|
|
|
func getApiKey(c *Context) string {
|
2015-01-15 05:16:54 -06:00
|
|
|
header := c.Req.Header.Get("Authorization")
|
|
|
|
parts := strings.SplitN(header, " ", 2)
|
2015-04-01 08:23:26 -05:00
|
|
|
if len(parts) == 2 && parts[0] == "Bearer" {
|
2015-01-27 01:26:11 -06:00
|
|
|
key := parts[1]
|
|
|
|
return key
|
2014-10-05 14:13:01 -05:00
|
|
|
}
|
|
|
|
|
2015-01-16 09:15:35 -06:00
|
|
|
return ""
|
2014-10-05 14:13:01 -05:00
|
|
|
}
|
|
|
|
|
2015-09-08 03:46:31 -05:00
|
|
|
func accessForbidden(c *Context) {
|
2015-01-14 07:25:12 -06:00
|
|
|
if c.IsApiRequest() {
|
2015-09-08 03:46:31 -05:00
|
|
|
c.JsonApiErr(403, "Permission denied", nil)
|
|
|
|
return
|
|
|
|
}
|
|
|
|
|
|
|
|
c.SetCookie("redirect_to", url.QueryEscape(setting.AppSubUrl+c.Req.RequestURI), 0, setting.AppSubUrl+"/")
|
|
|
|
c.Redirect(setting.AppSubUrl + "/login")
|
|
|
|
}
|
|
|
|
|
|
|
|
func notAuthorized(c *Context) {
|
|
|
|
if c.IsApiRequest() {
|
|
|
|
c.JsonApiErr(401, "Unauthorized", nil)
|
2015-01-27 05:05:23 -06:00
|
|
|
return
|
2015-01-14 07:25:12 -06:00
|
|
|
}
|
|
|
|
|
2015-03-31 07:03:01 -05:00
|
|
|
c.SetCookie("redirect_to", url.QueryEscape(setting.AppSubUrl+c.Req.RequestURI), 0, setting.AppSubUrl+"/")
|
2015-01-04 14:03:40 -06:00
|
|
|
c.Redirect(setting.AppSubUrl + "/login")
|
2014-10-05 14:13:01 -05:00
|
|
|
}
|
|
|
|
|
2015-01-16 08:28:44 -06:00
|
|
|
func RoleAuth(roles ...m.RoleType) macaron.Handler {
|
|
|
|
return func(c *Context) {
|
|
|
|
ok := false
|
|
|
|
for _, role := range roles {
|
2015-02-23 13:07:49 -06:00
|
|
|
if role == c.OrgRole {
|
2015-01-16 08:28:44 -06:00
|
|
|
ok = true
|
|
|
|
break
|
|
|
|
}
|
|
|
|
}
|
|
|
|
if !ok {
|
2015-09-08 03:46:31 -05:00
|
|
|
accessForbidden(c)
|
2015-01-16 08:28:44 -06:00
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2015-01-15 05:16:54 -06:00
|
|
|
func Auth(options *AuthOptions) macaron.Handler {
|
|
|
|
return func(c *Context) {
|
2015-09-08 03:46:31 -05:00
|
|
|
if !c.IsSignedIn && options.ReqSignedIn && !c.AllowAnonymous {
|
|
|
|
notAuthorized(c)
|
2015-01-15 05:16:54 -06:00
|
|
|
return
|
|
|
|
}
|
2015-01-14 02:33:34 -06:00
|
|
|
|
2015-09-08 03:46:31 -05:00
|
|
|
if !c.IsGrafanaAdmin && options.ReqGrafanaAdmin {
|
|
|
|
accessForbidden(c)
|
2015-01-15 05:16:54 -06:00
|
|
|
return
|
2015-01-14 02:33:34 -06:00
|
|
|
}
|
2014-10-05 14:13:01 -05:00
|
|
|
}
|
|
|
|
}
|